Risk and Opportunity Register - Master Sheet 


Date raised | Opportunity/risk description (opportunities shaded in blue) | Risk Appetite area | Risk appetite | IRSP Goals | Current Probability | Current Impact | Current Overall priority | Proximity | Strategic | Target Probability | Target Overall Priority


1 01/04/17 R4 Capacity and Capability: (Cause) Risk that increasing demand, public and stakeholder expectations, and/or additional unplanned work and/or reduced availability of staff results in (Threat) key resources being overstretched and having insufficient capacity, capability, knowledge and/or skills to deliver all business plan requirements, (Impact) resulting in business operational issues and pinch points, possible failure to deliver regulatory priority activities and impacting upon the ICO’s ability to deliver all of its intended objectives and outcomes.
Infrastructure and resources | Open | All goals | 5 | 4 | Same | Medium term | Corporate | 2


2 30/04/19 R73 Compliance culture: (Cause) Risk that as demand and capacity increase and/or changes, the ICO’s infrastructure and accountability culture is unable to (Threat) keep up with the pace of change to comply with legal and other obligations expected of a modern regulator (Impact) impacting upon its ability to maintain and increase public trust and be an effective and knowledgeable regulator.
Organisational controls and compliance | Cautious | All goals | 4 | Same | Medium term | Corporate
3 28/06/17 R3 Regulatory enforcement | Cautious


Financial Resilience: (Cause) Risk that sensitivities in the income growth forecast and new territories of expenditure create inaccurate financial forecasting and planning assumptions (Threat) leading to insufficient funding and financial stress (Impact) impeding the ICO’s ability to meet its statutory requirements, and full delivery of all of its intended IRSP goals and outcomes.
Infrastructure and resources


30/07/18 




5 06/04/20 R84 Major Incident: (Cause) Risk that an internal or external major incident occurs (e.g. extreme weather, fire incident, chemical incident, pandemic (e.g. Covid-19), or deliberate incidents such as terrorist acts) which renders the ICO unable to utilise part or all of its resources and infrastructure (such as staff, buildings, IT systems etc) such that (Threat) the ICO is unable to deliver some, or in extreme cases all of its regulation services, (Impact) increasing public information rights risk for a period of time and resulting in a reduced achievement of the IRSP Goals over the longer period.
Infrastructure and resources


06/04/20 R85 Managing ICO Reputation: (C) Risk that decisions are taken without giving due consideration to the strategic reputational impact on the ICO (T) such that action is not taken at the right time to proactively and effectively manage the reputation of the ICO (I) impacting upon the ICO’s ability to increase public trust and confidence, provide excellent public service and to demonstrate that it is an effective and knowledgeable regulator.
Reputational
7 30/06/17 R2 Organisational change and development | All goals


3 | Same | Medium term | Corporate | 2 | 2


08/12/20 Regulatory Action: (Cause) We do not effectively take account of pertinent aspects of a case, have flawed or ineffective processes and/or decision-making that mean (threat) we take disproportionate, inappropriate, or no action against an organisation (impact) which allows poor information rights practices to continue and/or proliferate and damages the ICO’s credibility as a regulator to enforce the laws, increase the public’s trust and confidence in how data is used, and maintain and develop influence within the information rights regulatory community.
Regulatory enforcement | Cautious | 1,2,5,6
27/09/18 R10 Statutory Codes: (Cause) Risk that significantly complex and contentious subject matter (e.g. economic impact), alongside competing stakeholder audience expectations slows the drafting and implementation of Statutory Codes of Practice such that (Threat) the ICO is unable to deliver the Codes within required timescales and to the desired quality through the eyes of external stakeholders (Impact) impacting negatively on the ICO’s reputation and relevance as a regulator to deliver across all stakeholders, decreasing its public trust, influence and effectiveness.
Regulatory guidance and strategy | Open | All goals | 3 | 4

10 27/11/18 R61 Litigation Resource: (Cause) Risk that multiple or a single significant legal challenge or trend emerges (Threat) diverting significant financial and non-financial resources into possibly lengthy legal disputes (Impact) impacting upon the ICO’s ability to legally defend itself which could have a domino effect on its decision making, its financial resilience, its reputation as an effective regulator and diluting its operational ability to achieve all of its IRSP goals.
Infrastructure and resources | Open | All goals | 3 | 4


Same | Medium term | Corporate | 2 | 2


Same | Medium term | Corporate | 2 | 2
New | Medium term | Corporate | 2 | 3


New | Medium term | Corporate | 2 | 2


11 07/07/20 R88 Future role of the ICO: (Cause) Government led reviews of the role of the future data protection regulatory framework, and of the ICO’s role, governance and remit (Threat) leads to organisational and stakeholder uncertainty (Impact) impeding the ability of the ICO to regulate with maximum efficiency and effectiveness, plan for the future and have clarity of its strategic objectives.
Organisational change and development | Open | All goals
12 06/04/20 R83 Staff Wellbeing and Welfare: (Cause) Risk that the ongoing pandemic and lockdown arrangements have a detrimental impact upon the physical, emotional and mental wellbeing of staff such that (threat) capacity may be reduced, as staff are less engaged or able to perform at their best at a time of increasing demand resulting in (impact) possible business operational issues and pinch points with possible failure to deliver priority activities to expected levels.
Organisational change and development | Open | All goals
13 08/03/19 R72 SMEs: (Cause) Risk that the ICO does not sufficiently recognise and act on the needs of small organisations such that the ICO (Threat) does not provide SMEs with value for money relevant services resulting in (impact) low levels of awareness, poor trust and information rights practices from SMEs impacting upon the ICO’s delivery of the IRSP goals around increasing public trust and confidence, improving standards of practice and being an effective regulator.


14 15/06/20 R87 International position: (Cause) The uncertain global context in which ICO operates (in particular the UK’s future global relationships with and outside the EU and implications of the Covid19 pandemic) lead to (threat) the ICO failing to develop and maintain effective international relationships or effectively deliver aspects of its domestic regulatory role, thereby reducing opportunities to develop global collaborative DP approaches on policy, tech and interoperability and (Impact) meaning the ICO is unable to maintain and develop influence within the global information rights regulatory community, increase public trust and confidence and improve standards of information rights.


16 14/09/20 R89 Compensation: (Cause) The ICO is unable to award compensation to complainants unlike other ombudsman services. As a consequence, (Threat) consumers go to an ombudsman scheme where compensation can be awarded, (impact) so the ICO is not seen as a relevant regulator and fails to capture data about these breaches.
47 08/12/20 R91 Targeted Regulatory Activity: (Cause) we do not have effective processes and practices in place to take a robust risk-based prioritisation approach to our regulatory work (threat) so we do not target our work to the most important and impactful areas of harm (impact) meaning that we miss opportunities to correct poor information rights practices and our regulatory work does not effectively align to deliver all of the IRSP goals.
Regulatory assessment | Cautious | All goals | 3 | New | Long term | Corporate

48 02/09/19 R81 Management Board Resilience: (cause) Management Board and Executive Team capacity and resilience (threat) may not be sufficient to retain clarity of leadership and direction during a critical period of change to the regulatory landscape (impact) resulting in delay to the achievement of the IRSP goals and operational, regulatory and organisational priorities
Staff recruitment, retention and development | Averse | All goals | 3 | Same | Medium term | Corporate

49 22/09/18 R26 Improving Productivity: (Cause) Risk that growth in the ICO’s investment in infrastructure, people and process resources (Threat) is not effectively utilised to reduce contradictory and duplication of efforts, minimise delivery gaps, exploit new business models and maximise best use of ICO resources such that (Impact) whilst the ICO grows it does not improve efficiency and productivity and is no better placed to achieve the ICO’s IRSP goals and corporate outcomes.
Organisational change and development | Open | All goals | 2 | Down | Medium term | Corporate


<E rtners and + | ar regulators presen term 




70 01/04/18 R21 Cyber Security: (Cause) Risk that although the ICO is continuously vigilant with its cyber security controls that as the ICO’s profile increases and it innovates with new technology systems, (Threat) it becomes increasingly at risk of a security breach, either malicious or inadvertent from within the organisation or from external attacks by cyber-criminals. (Impact) This could result in many negative impacts, such as distress to individuals, legal, financial and serious reputational damage to the ICO, possible penetration and crippling of the ICO’s IT systems preventing it from delivering its regulatory functions and IRSP goals
Security | Averse | All goals | Same | Long term | Corporate


71 06/04/20 R86 Political and Economic Environment: (Cause) Risk that the ICO doesn't have the plans or the ability to respond to changes in the economic climate, government policy or to government attitudes and reviews, meaning that the ICO doesn't (Threat) adapt and flex quickly enough or in the right way to meet changing stakeholder views and needs (Impact) preventing the achievement of the IRSP goal to be an effective and efficient regulator.
Regulatory guidance and strategy | Open | All goals | 2 | 3 | New | Long term | Corporate


